Checklist for minimum IT security in 2023

Have you remembered to factor IT security into your 2023 budget? Too many small and medium-sized business owners assume they're safe from digital attacks. After all, aren't digital attackers more likely to target the big companies with lots of capital?

The truth is that attackers know smaller businesses often lack the budget for, or sufficient knowledge of, IT security, and that an attack against them therefore has a high chance of succeeding.

That's why it's high time you put in place a minimum level of IT security so that your business can withstand future attack attempts.

 

1. Secure your email accounts

Regardless of the size of your business, email is where the most targeted attacks occur. By using robust email security solutions, you reduce the number of attacks and attack attempts against your business. Header analysis, link scanning, sandboxing and encryption will stop a large number of these emails from reaching your inbox. There is no guarantee that every email from an illegitimate sender will be stopped, but should you click on an unsafe link in one that does get through, access is blocked so that you never reach the malicious page.

 

2. System for Asset Management

If your assets are not managed properly, unknown and outdated hardware and software components will be exposed to vulnerabilities and threats, and your systems will attract cybercriminals. An employee may have a PC, one or more mobile phones and perhaps a tablet. Perhaps the employee also has access to several servers and cloud applications. This makes it very difficult to manage and track all these components. A single vulnerable component is all a cybercriminal needs to get into your organization. Start using a good inventory management solution. An IT asset management (ITAM) solution can help your organization build the security strategies needed to improve your chances of preventing an attack. Once you have a clear picture of what you have, you will be able to manage it easily.

 

3. Back up critical data

Always make a backup of your critical data. Critical data includes word processing documents, spreadsheets, databases, financial files, personnel files, accounts receivable and supplier files. A cybercriminal will make sure all your backups are unusable before demanding a ransom from you. That's why you should also keep a backup outside your on-premises infrastructure, or in a cloud-based solution, and validate as a matter of routine that the backup is complete and usable. Have you tested how long it takes to retrieve data from backup? Do you have an overview of which files need to be prioritized first?
Read all about the backup plan in the article: What is your backup plan?
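The validation routine the checklist asks for, as an added example that is not from the article or its vendor: it checks a restored copy against a manifest of SHA-256 digests recorded at backup time, reports what is missing or altered, orders the usable files by an assumed restore priority, and times the run. The manifest format, priorities and sample files are all constructed.

```python
# Added example (not from the article): validate that a backup is complete and
# usable, and report the restore order for the most critical data first.
# Manifest format and priorities are assumptions; all sample data is constructed.
import hashlib
import time

# Critical data classes from the checklist with an assumed restore priority (1 = first).
RESTORE_PRIORITY = {"accounts_receivable": 1, "financial": 1, "databases": 2,
                    "personnel": 3, "documents": 4}

# What the backup *should* contain: path -> (data class, SHA-256 taken at backup time).
# Constructed manifest; in practice the backup job writes it.
MANIFEST = {
    "fin/ledger.db": ("financial", hashlib.sha256(b"ledger v1").hexdigest()),
    "ar/invoices.csv": ("accounts_receivable", hashlib.sha256(b"inv").hexdigest()),
    "hr/staff.xlsx": ("personnel", hashlib.sha256(b"staff").hexdigest()),
    "docs/contract.docx": ("documents", hashlib.sha256(b"contract").hexdigest()),
}

def validate_backup(manifest, restored_files):
    """Compare restored files (path -> bytes) against the manifest.
    Returns (missing, corrupt, restore_order)."""
    missing = [p for p in manifest if p not in restored_files]
    corrupt = [p for p, (_, digest) in manifest.items()
               if p in restored_files
               and hashlib.sha256(restored_files[p]).hexdigest() != digest]
    usable = [p for p in manifest if p not in missing and p not in corrupt]
    # Most critical data class first, then by path for a stable order.
    restore_order = sorted(usable, key=lambda p: (RESTORE_PRIORITY[manifest[p][0]], p))
    return missing, corrupt, restore_order

def timed_validation(manifest, restored_files):
    """Time the verification pass; wrap the real restore step the same way
    to answer 'how long does it take to retrieve data from backup?'."""
    start = time.perf_counter()
    result = validate_backup(manifest, restored_files)
    return result, time.perf_counter() - start

# Constructed "restored" copy: one file missing, one silently altered.
RESTORED = {
    "fin/ledger.db": b"ledger v1",
    "ar/invoices.csv": b"inv",
    "hr/staff.xlsx": b"tampered",
}

if __name__ == "__main__":
    (missing, corrupt, order), seconds = timed_validation(MANIFEST, RESTORED)
    print("missing:", missing, "corrupt:", corrupt)
    print("restore order:", order, f"({seconds:.4f}s)")
```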

 

4. Use a password manager

A password manager helps you create passwords that are long and random, and that contain numbers, symbols, and upper- and lower-case letters. This means you don't have to store passwords insecurely in your browser or as a note on your phone, where it's easy for unauthorized people to get hold of them. You also don't have to memorize them all or press "Forgot password": the password manager remembers your passwords for you.

 

5. Enable two-factor authentication

Two-factor authentication (2FA/MFA) adds an extra layer of security to the login process to make sure it's actually you logging in. BankID is a good example of this. It makes it harder for attackers to gain access to a person's devices or user accounts, as they need more than the victim's password to get in. 2FA can be enabled on most user accounts, such as email, user portals and social media. You will usually find it under Settings -> Privacy -> Two-factor authentication.

 

6. Automate security updates

Are you putting off updates to your phone or software? These updates are not just for new features or looks; they close security holes that have been discovered. Attackers exploit known vulnerabilities in systems, which is why it's so important to install security updates right away. In fact, this is one of the most common ways unauthorized people get into a company's machines and networks. Get a complete overview of the hardware and software on your company's machines with a patch management system. Such a solution also ensures that all systems are updated automatically by installing critical patches as they become available. See our article: 6 steps for optimal patch management in your business.

 

7. Control access

How do you keep track of who has access to sensitive information inside and outside the company?
Who should have what access, who has left and who should have administrator access in your company? As a manager, you are the one who should control access. Access management should be updated regularly and it should ensure that employees only have access to what is necessary to do their job.
A receptionist may not need an admin account for everyday tasks. Administrative rights should only be granted to IT staff and key personnel. Read all about access management and how to easily get an overview in our free e-book.
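A small access review of the kind this step describes, as an added example that is not from the article or its vendor: it runs over a constructed directory export and flags accounts of people who have left, administrator rights held outside IT and key personnel, and access beyond what a role needs. The role baselines and the set of roles allowed admin rights are assumed policy.

```python
# Added example (not from the article): a periodic access review that flags
# the three situations the checklist asks about. Roles, baselines and the
# sample accounts are constructed; adapt them to your own directory export.
from dataclasses import dataclass, field

# Roles allowed to hold administrator rights (assumed policy: IT and key personnel).
ADMIN_ALLOWED_ROLES = {"it", "ciso"}

# Minimum access each role needs to do its job (assumed, constructed baseline).
ROLE_BASELINE = {
    "reception": {"email", "calendar"},
    "finance": {"email", "calendar", "accounting"},
    "it": {"email", "calendar", "accounting", "admin"},
    "ciso": {"email", "calendar", "admin"},
}

@dataclass
class Account:
    user: str
    role: str
    active: bool                      # False once the person has left
    permissions: set[str] = field(default_factory=set)

def review_access(accounts):
    """Return (user, finding) pairs, in directory order, for a manager to act on."""
    findings = []
    for acc in accounts:
        if not acc.active and acc.permissions:
            findings.append((acc.user, "left the company but account still has access"))
            continue  # nothing else matters until this account is disabled
        if "admin" in acc.permissions and acc.role not in ADMIN_ALLOWED_ROLES:
            findings.append((acc.user, f"admin rights granted to role '{acc.role}'"))
        # Admin is reported above; everything else beyond the baseline is reported here.
        extra = acc.permissions - ROLE_BASELINE.get(acc.role, set()) - {"admin"}
        if extra:
            findings.append((acc.user, "access beyond role baseline: " + ", ".join(sorted(extra))))
    return findings

# Constructed directory export.
SAMPLE_ACCOUNTS = [
    Account("anna", "reception", True, {"email", "calendar", "admin"}),
    Account("bjorn", "finance", False, {"email", "accounting"}),
    Account("carl", "it", True, {"email", "calendar", "admin"}),
    Account("dina", "finance", True, {"email", "calendar", "accounting", "hr"}),
]

if __name__ == "__main__":
    for user, finding in review_access(SAMPLE_ACCOUNTS):
        print(f"{user}: {finding}")
```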


8. Secure the endpoints

82% of all data attacks are caused by human error. Humans are still the weakest link in IT security, which is why you need endpoint security for all the devices and systems in your business. There are different solutions with varying degrees of detection and response. Should an employee accidentally open an email attachment containing ransomware, an endpoint security solution will scan the file first, then delete it and isolate the endpoint from the network. The same goes for malicious links: if you click on the wrong one, the software will stop you from reaching the malicious page. This, of course, assumes that the endpoint security software is configured correctly.

 

9. Security monitoring

Your security systems should be monitored in a security operations center (SOC) so that they are up to date at all times. Most SOC providers will only alert you when you are attacked or after your services have been compromised. So choose a security partner that works proactively and secures your services with simple adjustments, one that is always on the lookout for potential vulnerabilities in your business. This significantly reduces the chance of you ending up on the criminals' radar and being exposed to attacks.

 

10. Security training for employees

Employees often have limited security knowledge, while it has become very easy for attackers to pose as legitimate actors. Attackers therefore have a greater chance of success when they target a company's employees. This is often done through emails that fish for sensitive information (phishing), text messages that do the same (smishing) or highly targeted messages in which they, for example, pretend to be the organizer of an event you have actually attended (spear phishing).

 

Train your employees to spot fake emails and messages by:

  • Showing them what to look for

  • Testing them with examples of phishing

  • Holding short security courses on relevant topics

  • Informing them where to report and what to do if they have actually clicked on a fake link or attachment

 

11. Have your contingency plan ready

Prepare for a security incident with a clear contingency plan. If you're not sure what an IT security contingency plan should include, read our article: 5 points for your contingency plan.
You can always contact a security vendor that offers security monitoring to mitigate the risks mentioned above.

 
